How to make users explicitly agree to ToS

Is there a way to force existing users (not just new users) to check the box before logging in? I’m about to import many users into Discourse, and they won’t have checked that box, so I don’t think it will work, except maybe for new Discourse sites.

Drupal 7 has a module called Legal that saves the versions of the terms that users have agreed to. I think you can’t log in without checking the boxes. It might be worth looking at for ideas.

@angus great work on the plugin, looks very useful. You had pointed out that this can be helpful with GDPR compliance.

@neil and @sam pointed out that one can use the mandatory checkbox at sign-up to get users to agree with the terms.

Can you help us understand how your plugin can help with GDPR beyond the above? Can it help cover other gaps we may be missing?

I know you’re looking for a clear, simple and short answer, but unfortunately this is a long and, in parts, complex answer. This reflects the reality that no-one yet knows how consent under the GDPR will be applied in practice.

What I can do is explain what’s going on and what you need to know in order to make an informed choice. I have given some specific suggestions on what I think you should do (see bottom).

I’m expanding on what I’ve already mentioned in various places before (including in this topic), as I think some people are still feeling a bit lost.

Consent is only one basis of handling user data in the GDPR

It’s important to understand that consent is one of six lawful bases for processing personal data in the GDPR. These are set out in Article 6.1 of the GDPR. Another relevant lawful basis is what’s called “legitimate interests” (6.1(f)). It’s also not clear how ‘legitimate interests’ will be interpreted. The UK Information Commissioner’s Office has this to say about it:

  • Legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate.
  • It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

To this, I would add that various uses of personal data in Discourse for security, spam prevention and stability seem quite similar to the specific legitimate interests mentioned in Recital 47 (which discusses the concept more discursively than in Article 6).

While this seems to me to be a reasonable ground to rest on for most of the processing in Discourse, there is a real possibility that some authority or court could decide that the ‘Legitimate Interests’ ground has a limited scope and is intended for emergencies and / or things like crime prevention.

Here’s an example of someone who takes a restrictive view of legitimate interests.

Some folks have also raised Article 6.1(c) “performance of a contract” as a ground for processing. Personally, I don’t think this is a great ground to rely on as:

  • What counts as a contract, and what counts as terms of the contract (i.e. whether incorporating T&C’s by reference at the time of signup counts) depends on the jurisdiction you’re working in.

  • The data controller (i.e. the forum provider) is not under a “legal obligation” to provide anything to the user, and probably would not want their relationship characterised in that way in any event. There is no quid pro quo here.

cc @RGJ

If you decide to rely on consent, it’s a high bar

It’s also important to understand that if you decide to rely on user consent as the basis for processing personal data, that:

  1. Consent must be clear, positive and unambiguous: “clear affirmative act establishing a freely given, specific, informed and unambiguous indication” (R.32).

  2. Consent must be given for each individual purpose of processing the data: “Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.” (R.33)

  3. There must be a way for the user to say no (at any time): “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.” (R.42).

See generally Article 7 of the GDPR.

Furthermore, the UK’s Information Commissioner’s Office has advised, amongst other things:

  • Keep your consent requests separate from other terms and conditions.
  • Make it easy for people to withdraw consent and tell them how.
  • Avoid making consent to processing a precondition of a service.

There are already claims under the GDPR focused on consent

The NOYB’s recent complaints under the GDPR against Google and Facebook are one example of how consent can be interpreted as a high bar in the GDPR.

For example, the complaint against Google mainly concerns ‘consent’ to terms and conditions and a privacy policy for the Android operating system when setting up a new phone.

The complaint discusses the effect of the power imbalance between the provider (i.e. Google) and the user on the user’s consent. They also make claims specific to each of the elements of consent mentioned above.

Relevant to your question, they claim:

On page 11 of its Guidelines on consent under Regulation 2016/679 (WP259) the Article 29 Working Part [sic] gives the example of “downgrading” a service when consent is not given, as a situation where there is a detriment to the data subject.

In the present case, the controller simply does not offer any service without data subject’s first agreeing to the terms and to the privacy policy. Being denied the use of any of these services could be seen as something worse than the simple downgrading of a service.

I will be watching the progress of these complaints to see how the Authorities they have been filed with respond.

So what should I do?

Personally, I think the best strategy for the legal basis of processing under the GDPR at the moment is to:

  1. Rely on legitimate interests for the processing of personal data relevant to running the forum, security of the forum and ancillary matters such as spam.

    • This would cover the collection of IP addresses for the legitimate purpose of security etc.
    • The various ways user identifiers are used in Discourse internals to make the site work are constantly changing and hard to specify in a sufficiently specific way to be ‘consented’ to.
  2. Rely on consent for the processing of email addresses for sending the digest email and / or other user notifications.

    • The user can not give consent and continue to use the service.
    • Consent can be clearly given and withdrawn at any time.
    • A user’s email is perhaps the most sensitive piece of personal data collected, and sending emails is perhaps the most ‘intrusive’ part of Discourse.

This is just a personal, non-legal, opinion that could well change based on:

  • The outcome of matters like NOYB’s filing
  • Updated advice from authorities.

So what specifically should I do?

You should update your privacy policy to reflect the strategy you’re taking in clear, readable terms and make sure users, new and old, know about it. To notify your users you could use:

  • an email.
  • a forum notice.
  • the Custom Wizard plugin.
  • the new Discourse Policy plugin.

But, if you follow what I’ve explained above, you’ll understand that personally I don’t think it’s strictly necessary to get your users to ‘consent’ to your privacy policy at this time. With respect to the GDPR such ‘consent’ may not mean much.

Regarding consent to the use of email addresses, specifically the digest, there’s a topic on that here which covers most of the relevant aspects. On whether anything needs to be done to ensure new and existing users have given explicit consent to digest emails, I am working on a feature for the Legal Tools plugin that may help in that respect. In the meantime, you have two options:

  • Rely on the existing controls to satisfy the demands of consent, as laid out here: GDPR and the Digest email. These are probably sufficient.

  • Turn off digests.


TL;DR I don’t agree with Angus where he argues that legitimate interest can be rested on for most of the processing in Discourse while I am convinced that most of the processing should rely on ‘performance of a contract’ and only some additional processing like collection of IP addresses and keeping statistics for spam prevention belongs to the legitimate interest category.

While I totally agree that people are focusing way too much on consent as a lawful basis for processing, I do not agree with you that legitimate interest is to be preferred (above performance of a contract) as a lawful basis for processing the personal data relevant to running the forum.

Legitimate interest is clearly meant as all processing done “in the background” or “on top” of the performance of a contract (or on top of other lawful bases like legal obligations, vital interests) to protect the interests of the controller. The examples in pages 10-12 of this document give a very clear idea of what kind of processing this lawful basis is meant for.

The pizza delivery example in the document referenced by you is, in my opinion, a bad example. It is contradicted here where the second example mentions the same situation where the address of the customer is being processed but this time as an example for ‘performance of a contract’.

Another objection against using legitimate interest as the lawful basis for processing the basic personal data, is that when providing a forum to a user is not to be seen as a contract, there cannot be a reasonable expectation of the user for processing either. The forum owner cannot just start collecting user data and sign up people for a forum, there has to be some kind of agreement where the user indicates the wish to participate in the forum. Signing up for a forum can IMO be seen as a contract and when that is the case then performance of a contract can be used as a lawful basis, eliminating the need to look further.

Last but not least, don’t forget that a user can object to processing under legitimate interest (GDPR art 21.1) which complicates things a lot.


Here is what I’ve done on my site. Almost the same as @neil (his post) but with explicit links:


To make it perfect, I’d probably hide the default clause at the bottom: [screenshot]

Also, the term “site rules” seems dispensable. I have so far not managed to target it with CSS though. Does anyone have some hints?

Isn’t this the name you give when adding the custom user field?

Yes, it is. But you can’t leave the field name blank so if you don’t want it to be displayed, you need to hide it.

In fact, I have had it hidden for over a year on my site and recently it started showing up. (This was possibly related to the redesign of the sign-up modal.) I don’t remember, though, whether I manually hid the Field Name back then (which would mean that I did actually manage to target it) or whether it simply didn’t show up.

